Symptoms
- SQL-SQL linked server connections and distributed query execution fails due to an error message NT AUTHORITY\ANONOYMOUS LOGON after installing Windows security patches that are released in March 2019
- SQL linked server connection initiated from a client application that runs on a different (third server) machine which is different than two SQL Server machines that are part of the linked server or its “double-hop” scenario
- The SQL Servers Kerberos configuration and delegation settings are as expected and used to work without issues
- Either intermittent failures or works until the Kerberos ticket life time expires. For e.g. 10 hours.
- Issue started occurring after applying recent windows security patches that are released in the month of March 2019
Cause(s)
https://support.microsoft.com/en-us/help/4489878 - March 12, 2019—KB4489878 (Monthly Rollup)
Resolution
- Microsoft Windows team is working on releasing a fix and will provide an update in an upcoming release.
- The following are the workarounds to mitigate the issue scenario
- Purge the Kerberos tickets on the application server. The Kerberos tickets need to be purged before the ticket expiration. One of the ways to automate, setup a scheduled task on the application servers to purge the Kerberos tickets for every few hours are before the Kerberos token expires.
- Uninstall KB 4489878
- Some customer had to uninstall all the windows security patches that are released in the month of March 2019 from the SQL Server machines and reboot the machines
- If issue still happens even after uninstalling the windows security patches, restart the application server or the application that opens SQL-SQL linked server connection. e.g. Restart the IIS or the application pool that access SQL Server or the application which can be windows service, console or client / server application
- For more information please review 4489878
